Some domestic solar power equipment lacks strong defenses, allowing hackers to cast darkness on thousands of homes through simple attacks. A researcher has reported a significant number of security vulnerabilities in inverters from German manufacturer SMA Solar Technology, used in residential photovoltaic installations. The consequences of exploiting the flaws are not limited to home installations and appliances, and could even destabilize electricity grids.
An inverter in solar energy installations converts direct current into alternating current that feeds home appliances; the energy surplus flows into the power grid, which maintains a balance between supply and demand to avoid outages. Creating a spike in the distribution network, either high or low, would create instability and could lead to wide-area blackouts.
In December 2016, penetration tester Willem Westerhof alerted SMA to 21 security bugs in its inverters. Some flaws are remotely exploitable if the photovoltaic installation is connected to the internet, and have warranted a critical severity rating. Among the discoveries is a hidden user account with a hardcoded password that works across all devices.
Another is an alternate authentication system intended for installers, which relies on codes provided by the company. However, the codes are predictable and work on any SMA inverter, allowing the grid connection settings to be changed.
Problems identified by Westerhof also include the ability to upload new firmware without authentication. “If an attacker is able to create a custom firmware version that is accepted by the inverter, the inverter is compromised completely. This allows the attacker to do nearly anything: for example, giving access to the local OS, creating a botnet, using the inverters as a stepping stone into companies, etc.,” reads the description of the bug.
A comprehensive view of the sweeping implications of Westerhof’s findings is available on a website created to illustrate a cyber-attack on the solar energy system that the researcher dubbed the Horus scenario. Under this scenario, a hacker could take control of the energy channeled into the grid by a large number of photovoltaic installations and create differences of several gigawatts between supply and demand; this could cause “massive balancing issues which may lead to large scale power outages.”
SMA knows about the vulnerabilities and is taking steps to mitigate them in current products and to increase the safety of its future products. Stakeholders in the energy sector have agreed to include the topic on the agenda of official talks about cyber-security in the industry. The problems revealed by the researcher have reached authorities in the Netherlands, who have agreed to share the details with other countries to prevent far-reaching power failures.